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REMARKS 



It should be noted that the amendments to original claims 1-47 of the present application are 
non-narrowing amendments, made solely to place the claims in proper form for U.S. practice 
and not to overcome any prior art or for any other statutory considerations. Other amended 
claims have been made to broaden the claims; remove multiple dependencies in the claims; 
remove/change any phrases unique to European practice; and to place claims in a more 
recognizable U.S. form. Other such non-narrowing amendments include placing apparatus- 
type claims (setting forth elements in separate paragraphs) in a more recognizable U.S. form. 
Again, all amendments are non-narrowing and have been made solely to place the claims in 
proper form for U.S. practice and not to overcome any prior art or for any other statutory 
considerations. 
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CONCLUSION 



Accordingly, in view of the above amendments and remarks, an early indication of 
the allowability of each of claims 1-47 in connection with the present application is earnestly 
solicited. 

Should there be any outstanding matters that need to be resolved in the present 
application, the Examiner is respectfully requested to contact John A. Castellano at the 
telephone number of the undersigned below. 

If necessary, the Commissioner is hereby authorized in this, concurrent, and future 
replies, to charge payment or credit any overpayment to Deposit Account No. 08-0750 for 
any additional fees required under 37 C.F.R. § 1.16 or under 37 C.F.R. § 1.17; particularly, 
extension of time fees. 



Respectfully submitted, 



By: 



HARNES&MCKEY & PIERCE, P.L.C 



Johi/A. Castellano, Reg. No. 35,094 




P.O. Box 8910 
Reston, Virginia 20195 
(703) 668-8000 
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METHODS FOR GENERATING IDENTIFICATION VALUEjS FOR IDENTIFYING ELECTRONIC 
MESSAGES 

Technical field 

The present invention generally relates to' methods for generating identification values for 
identifying electronic messages, the methods relying on hash functions. Embodiments of the 
methods of the invention provide novel hash or MAC (Message Authentication Code) 
functions. More specifically, the invention provides novel procedures of applying e.g. hash 
functions to data blocks derived from a message of any given length. In one aspect, the 
invention relates to a method providing an efficient universal hash function based on a delta 
universal hash function. 

Backgroun d of the invention 

Hash and MAC functions are useful for ensuring that the contents of an electronic message as 
received by a recipient is identical to the contents of the same message as sent by a sender. 
Thus, if a hash or MAC function outputs the same identification value when the function is 
applied to the sent message as the value generated as an output when the function is applied 



20 to the received message, the contents of the message as received is identical to the contents 
of the message as sent. If, however, the contents of the message have been altered, the 
hash or MAC function outputs two different identification values. 

The term "identification value" may denote a hash value or a cryptographic check-sum which 
identifies the set of data, cf. for example Applied Cryptography by Bruce Schneier, Second 
Edition, John Wiley & Sons, 1996. In case a cryptographic key is used as an input for the 



computations, the hash function is usually referred to 
Authentication Code). 1 



as a MAC function (Message 



Various hash and MAC functions have been proposed in the prior art. Procedures for applying 
such functions to a message, including procedures for breaking the message into blocks for 
processing by such functions, have also been proposed. Fig. 1 illustrates a prior art method 
for generating an identification value for identifying an electronic message, including a 
procedure for breaking a message down into blocks which are processed by hash functions. 
The method of Fig. 1 is generally disclosed in M.N. Wegman and J.L. Carter: New Hash 
Functions and their Use in Authentication and Set Equality, 1. Computer and System Sciences 
22, pp. 265-279 (1981). In this method, an electronic message is divided into a plurality of 
blocks, for example 5 blocks m s ,i«.m a , 5 . As the blocks are to be combined in groups, for 
example as illustrated in Fig. 1 in pairs of two, by application of a hash function, and as 2 
does not divide 5, a 6 th block is appended to the 5 blocks, the 6 th block simply containing the 
value 0. The 6 blocks are divided into 3 subsets, whicji are combined by application of the 
hash function h to obtain 3 resulting numbers (or blocks) m 2 ,i...m 2 ,3. As 2 does not divide 3, a 



4 th block containing the value 0 is appended, and the 
repeated to obtain m 3rl and m 3#2 , which in a final step 



above procedure of combining is 
are combined into output value m 4 ,i. 
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Accordingly, the hash function h is applied repetitively in a tree-structure compression of the 
message, such a repetitive application of a hash function being usually also referred to as a 
"hash function". The output value of the tree-structure compression may either be used 
directly as a hash value identifying the original message, or it may be processed further, e.g. 
by application of a cryptographic function to obtain a MAC value. In Fig. 1, k 1# k 2 etc. denote 
various cryptographic keys that are ppplied in the hash function h. 

It is apparent from Fig. 1 that the nurhber of hash computations (i.e. the number of 



applications of the hash function h) 
input in respect of each step, and, if 



n each step is equal to half the number of blocks used as 
2 does not jdivide the number of input blocks, the 
number of hash computations is equal to the number of input blocks plus 1 divided by 2. It 
has 

alternative 

1), which could speed up identification value generation, has been proposed. 



■ I 

been found that hash functions Require significant computational resources, but so far no 
-native to appending e.g. a 6 th b ock of data containing the value 0 (as in step 1 of Fig. 



Summary of the invention 

It is an object of preferred embodiments of the invention to provide a method for generating 
an identification value, which metho i is capab!e,of processing messages of any length. It is a 
further object of preferred embodiments of the invention to provide a method which is fast. It 
is a yet further object of preferred embodiments; of the invention to provide a method which 
is memory efficient in the sense that smaller mepiory resources are occupied than those 
required by prior art methods while maintaining a high processing speed. 

In a first aspect, the invention thus provides a rrjiethod for generating an identification value 
for identifying an electronic message by application of at least one first hash function with 
fixed compression that compresses n blocks of data into a number of blocks which is smaller 
than n or into one block, the hash function being repetitively applied in a tree-structure 
compression of the message, so thai: the message is being compressed in a plurality of tree- 
structure levels, each level receiving mi input blocks for compression, subscript i denoting a 
current level in the tree structure, tt e method comprising processing an output of the tree- 
structure compression further to obtain said identification value, 



the method being characterized in that 

i 

a residual data block is passed withcjut compression from the current level to another, 
subsequent level in case n does not 
level i. 



divide the number of input blocks mi for said current 



The step of applying at least one has;h function may comprise applying a plurality of different 
hash functions. The fixed compression may compress the n blocks of data into more than a 
single block, provided that the compression results in fewer than n blocks. Moreover, the 



fixed compression may result in one 



or more blo t cks which have different length(s) than the 



lengths of the n blocks used as an input for the compression. 
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It will be appreciated that method of the first aspect cf the present invention mainly differs 
from the prior art method discussed above with reference to Fig. 1 in that there is no need to 
append data blocks of zeros in case the number of subsets does not divide the length of the 
message, and to process such blocks of zeros by a hajsh function. Oh the contrary, the 
5 present method may be regarded as a method that leaves the residual block(s) unprocessed 
in one step of compressing by means of tljie hash function (i.e. in one level of the tree 
structure) and moves the residual block(s) one step further to a subsequent step of 
compressing data blocks by means of the hash function (i.e. to a subsequent level of the tree 
structure). Thus, hash functions are not applied as often as in the prior art method, whereby 
10 computational resources may be saved and overall processing speed increased. This will be 
further discussed in connection with the djescription of Fig. 2 below. 

I 

As mentioned above, the at least one first hash function of the method according to the first 
aspect of the invention, compresses n blocks of data into a smaller number of blocks, such as 
15 into one block. It should be understood that the scope of the appended claims generally 
extends to any fixed compression compressing a set of data of a given length to obtain a 
result of a smaller length. For example, eight data blocks of a given length may be 
compressed into three blocks of the same) length by application of the at least one first hash 
function. This example also falls within the scope of the present claims, as the three blocks 
resulting from the compression are, in the present coijitext, regarded as one block (which, 
however, has a length different from the length of each of the three blocks resulting from the 
compression). 



i 



the invention provides a method for 



or into one block, the method 



30 - 



Generally, the method according to the firfst aspect of 
generating an identification value for identifying an electronic message of any length by 
application of at least one first hash function with fixed compression that compresses n 
blocks into a number of blocks which is smaller than 
comprising: 

- dividing a set of input data derived frojm the message into a plurality of blocks; 
performing a plurality of compression jcycles, each 
o 



i'th cycle comprising: 



o 
o 



inputting m, input blocks to the cycle, mj denoting the number of input blocks 
to the i'th cycle; ; 

organizing the m s input blojcks into a plurality of subsets, each subset 
consisting of n blocks; i 

if n does not divide m,: defjining at most n-1 residual blocks; 
combining the blocks of ea;ch subset by means of said at least one first hash 
function to obtain a resulting number in respect of each subset; 
using each resulting number as input data for a next compression cycles, and 
using the residual block(s) as a part of said input data for said next cycle or for a further, 
subsequent cycle, 

obtaining, as a result of the plurality of compression cycles, a set of output data which is 
further processed to obtain said identification value. 



In a second aspect, the invention provides a method for generating an identification value for 



45 identifying an electronic message by application of at 



least one first hash function with fixed 
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compression that compresses n blocks of data into a number of blocks which is smaller than 
n or into one block, the hash function being repetitively applied in a tree-structure 
compression of the message, so that the message is being compressed in a plurality of tree- 
structure levels, each level receiving mi input blocks for compression, subscript i denoting a 
current level in the tree structure, th e method comprising processing an output of the tree- 
structure compression further to obtain said identification value, 

i 
i 

the method being characterized in that 



it comprises determining whether or| not n divides the number of input blocks m, for said 
current level i; and 

if n does divide applying said at (east one first hash function myn times; 

if n does not divide rrij: ! 

applying said at least one first hash function at most mjn times, whereby at least one 
residual data block is left unprocessed by the first hash function; and 
processing said at least one unprocessed data block by means of an auxiliary hash 
function which, in one single 
unprocessed data block into 

Preferably, for the purpose of applyi 
data are appended. 



hash operation, compresses the at least one 
}ne single block. 

I 

lg the auxiliary hash function, no blocks of zeros or other 

i . 



In case the at least one first hash function is applied less than mjn times, A times n data 
blocks may be left unprocessed in addition to the at least one residual data block, A denoting 
an integer, and the step of processing the unprocessed data blocks does in that case 
preferably comprise processing all of the unprocessed data blocks. 



It will be appreciated that the method according ito the second aspect of the invention 
provides an alternative solution to the above objects of the invention. Whereas the method of 
the first aspect of the invention comprises forwarding a residual data block to a subsequent 
level in the tree structure without applying a hash function to the residual block, the method 
according to the second aspect of the invention takes a different approach. More specifically, 
in a given level of the tree structure! the first hash function is applied fewer times than the 
truncated value of mjn, if n does not divide m if whereby n data blocks and one or more 
residual data blocks are temporarily left unprocessed. For example, if m ; equals 27, and n=2, 
then the first hash function may be applied 12 times (trunc(27/2) equals 13, and accordingly 
the first hash function is, in accordance with the Second aspect of the invention, applied at 
most 12 times). This leaves n=2 data blocks and 1 "residual data block", i.e. a total of 3 data 



blocks, unprocessed. Finally, these 2 



unprocessed data blocks are processed by the second 



hash function which performs 3:1 compression. 

Also the method according to the second aspect of the invention mainly differs from the prior 
art method discussed above with reference to Fig. 1 in that there is no need to append data 
blocks of zeros in case the number of subsets does not divide the length of the message, and 



to process such blocks of zeros by a 



hash functibn. The present method does instead apply 
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the second hash function which compresses more thai n blocks into a single block, so as to 
thereby take into account that n does not| divide nrv Again, the possibility is conferred not to 
apply hash functions as often as in the prior art method, whereby computational resources 
may be saved and overall processing speed increased 
connection with the description of Fig. 7 bjelow. 



. This will be further discussed in 



The step of applying the at least one first hash functidn less than mi/n times may include not 
applying the first hash function at all. Fonexample, if 3 data blocks are to be processed, and 
the first hash function would normally perform 2:1 compression, it would make no sense to 
apply the first hash function to 2 of the 3 blocks to bej processed. In this case, 2 data blocks 
and one residual data block are left unprocessed by the first hash function, and these three 
data blocks are then processed by the auxiliary hash function. 

In a third aspect, the invention provides a method for generating an identification value for 
identifying an electronic message, the method comprising the steps of: 

- processing at least one block of a set of data (M a ,...,M m ) derived from the message into a 
resulting number h by means of a hash function which is at least delta-universal, 
h=f(M 1/ ..., M m ); and 

- adding a number representation (M m+ i) of a further block of data derived from the 
message to the resulting number to obtain a modified resulting number, h'=h+M m+1 ; 

i 

- using the modified resulting number ft* further to obtain said identification value. 

i 

Also the method according to the third aspect of the invention differs mainly from the prior 
art method discussed above with reference to Fig. 1 in that there is no need to process all the 
data blocks derived from the message by a hash function. The present method may be 



regarded as a method that only applies a ihash function to some of the blocks derived from 
the message, and which performs an addition of non-hashed data blocks to hashed data 
blocks. In later repetitions of the steps of processing and adding, data blocks which have 
previously been hashed may become data blocks which are not hashed in such later steps, 
but which instead are added to other data blocks hashed in such later steps. As a result of 
adding data blocks rather than applying hash functions to all the data blocks, Hash functions 
are not applied as often as in the prior art method, wtjiereby computational resources may be 
saved and overall processing speed increased. This will be further discussed in connection 
with the description of Figs. 8-10 below. \ 

i 

In the method according to the third aspejct of the invention, the modified resulting number 
may be determined by the function: j 



,64 



45 



(nru+k mod 2 32 )(LSR(m 1 ,32)+LSR(k,32) mod 2 32 )+rn 2 mod 2 
where m x and m 2 denote two of said blocks of data, LSR(x,y) denotes a logical-shift-right by 
y bits of input x, and k denotes a cryptographic key, whereby m lr m 2 and k are represented 
as 64 bit unsigned integers. In respect of jthe above function, the term 
(rrb+k mod 2 32 )(LSR(m 1 ,32)+LSR(k,32) mod 2 32 ) constitutes a so-called LNH function 
known perse, which is delta-universal with regard to pie addition operator mod 2 s4 . The 
addition of m 2 results in the function being universal, however thanks to the addition of m 2 , 
the function may accept additional input in the form of one more block. 



n 
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In summary, it will be understood trat, in all aspects of the invention, hash functions are not 
applied as often as in the prior art method. As hash functions include non-linear 
computations, such as multiplications, which require more computational resources than 
linear computations, such as additiois, substantial computational resources can be saved by 
reducing the number of applications of hash functions. In preferred embodiments of the 
invention, the ultimately generated identification value is a function of ail input bits, i.e. of all 
bits of the message, so that it is ensjured that thfe security of the methods is not 
compromised. 

In the present context, the term "function whicH is at least delta-universal" should be 
understood to designate a function which is at least delta-universal with regard to a given 
addition operator, such as bitwise xpR, addition mod 2 1 , where i is an integer, or addition 
over the integers. 



Also, in the present context, the 
data, such as e-mail, electronic files 
text files, digital sound, video, etc. 



term message should be understood as any set of digital 
of any kind, 1 including digital Images, executable Hies, 



As mentioned above, the term "identification val ( ue n may be a hash value or a cryptographic 
check-sum which identifies the set of data, cf. for example Applied Cryptography by Bruce 
Schneier, Second Edition, John Wiley & Sons, 1996. In case a cryptographic key is used as an 
input for the computations, the hash function is usually referred to as a MAC function 
(Message Authentication Code). 



In a broad definition, a cryptographip 
of a cryptographic system, the key 



key may be regarded as an input value for an algorithm 
being used for initializing iterations. 



Herein, the term universal hash function is to be' understood as a member of a universal hash 
function family as defined by Carter and Wegmah: Universal Classes of Hash Functions, J. 
Computer andSystem Sciences 18, pp. 143-1541(1979), or as a member of a "e-almost- 
universar hash function family by tr e definition bf Stinson: Universal Hashing and 

Cryptology 4 CRYPTO *91", Lecture Notes in Computer 
term delta-universal is to be understood as a member of 
a w A-universal" or "E-almost-A-universal'' hash function family by the definition of Stinson: 
On the connections between universal hashing, combinatorial designs and error-correcting 
codes, Congressus Numerantium 114, pp. 7-27 (1996). 

It will be understood that the methods of the first, second and third aspects of the invention 



Authentication Codes, "Advances in 
Science 576, pp. 74-85 (1992). The 



40 may be combined in one single appl 



cation. For example, the method of one of the aspects 
may be applied in respect of selected blocks or in selected levels in the tree structure, 
whereas the method of one or two of the other aspect(s) may be applied in respect of other 
blocks or levels. 
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The invention also provides computer systems which iire programmed to perform the 
methods of the invention as well as computer program products comprising means for 
performing the methods of the invention. 

5 Brief descri ption of the drawings i 



Fig. 1 illustrates a prior art method as discussed above; 



Figs. 2 and 3 illustrate an embodiment of the method 
invention; 



according to the first aspect of the 



Fig. 4 illustrates the initial processing of an incoming message M in a method according to 
any of the aspects of the invention; : 

Figs. 5 and 6 illustrate final processing steps of one embodiment of any of the methods 
according to the invention; 

■ * 

Fig. 7 illustrates an embodiment of the method according to the second aspect of the 
invention; 

Figs. 8-10 illustrate an embodiment of the method according to the third aspect of the 
invention. 



25 Detailed des cription of the invention 

In Fig. 2, an electronic message of a given length is divided into four blocks m 1 , 1 ...mi, 4 and 
into 2 subsets of two blocks each. The subsets are thus defined by m M and m t , 2 ; m x , 3 and 
m M . The remaining block m 1#s is hereinafter referred to as residual block m 1(5 . The first part 

30 of the indices 1,1; 1,2 etc. denotes a current level in the tree structure, i.e. level 1 in the 

upper row in Fig. 2, and the second part of the indices represents a block identifier, i.e. block 
1, 2 ... 5. The blocks of each subset are combined by means of hash functions h lf which use a 
first cryptographic key k^The step of compressing the blocks of each subset results in two 
resulting numbers m 2 ,i, and m 2 , 2 , which subsequently are compressed by means of a hash 

35 function into a further resulting number m 3#1 , the hastji function using a second cryptographic 
key k 2 . Finally, the residual block m lf5 and resulting number m 3fl are compressed by means of 
a hash function into resulting number m 4 ,i, which also constitutes an output. 

In accordance with the third aspect of the, invention a id as described in detail below with 
40 reference to Fig. 10, the hash function hj pf Fig. 2 may comprise a delta-universal hash 
function h dl which is applied to one data block at a time only, and to which a second data 
block is added following the processing by the hash function. For example, in Fig. 2, hash 



function hj may be substituted by hash function h dl wjiich uses m 1#1 as an input and applies 
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cryptographic key kj or an alternative cryptographic key l^a. Data block m 1#2 may then be 
added to the output of hash function h d i. 

Fig. 3 illustrates a practical application of the method according to the first aspect of the 
5 invention applied to a message which is divided into 11 blocks mi..ra u . The application of 
Fig. 3 utilizes a minimum of memory capacity, as will be described further below. The 
numbered dashed boxes in Fig, 3 indicate the order in which the individual operations of the 
method are performed. Thus, the operations shown in dashed box 1 in the upper left corner 
of Fig. 3 are performed first. More specifically, a$ a new message is processed, two initial 

10 data blocks mj and m 2 are compressed by means of a first hash function h, which in the 
example shown in Fig. 3 is a key-dependent hash function, e.g. a universal hash function, 
that makes use of cryptographic key k*. The result of the compression is temporarily stored 
in a temporary register (or in a temporary variable) denoted "Temp", from which it is 
immediately passed on to a buffer variable b t of level 1 of the tree structure. Next, the 

15 operations of box 2 are performed, whereby data block m 3 and m 4 are compressed by the 

same hash function and the same cryptographic! key kj as applied in respect of m 2 and m 2 . In 
alternative embodiments of the invention, the hash function of box 2 may be different from 
the hash function of box 1, cf. the general discussion of different hash functions set forth 
below in connection with the description of Figs. 2 and 3. The result of the compression of m 3 

20 and m 4 is temporarily stored in the "Temp 1 ' register (or variable), this register being available 
now, as its previous contents has been moved t6 buffer variable b u cf. box 1. 

In box 3, buffer variable b x and the Temp" variable are compressed by means of hash 
function h which utilizes cryptographic key k 2 , i.e. a cryptographic key which is different from 

25 the cryptographic key kj used in the first level. The result of this compression is temporarily 
stored in the now available "Temp" register and jpassed on to a buffer variable b 2 of level 2. 
In boxes 4 and 5, the procedures described abo^e in connection with boxes 1 and 2 are 
repeated, so as to compress input blocks m 5 ..m^. As the contents of buffer variable b x have 
been utilized in box 3, this buffer variable is avajlable in box 4 for the result of the 

30 compression of m 5 and m 6 . In box 6, the contents of buffer variable ba and the "Temp" 
register are compressed, the result being temporarily stored in the "Temp" register and 
immediately thereafter compressed together with the contents of buffer variable b 2 , cf. box 
7, the result being passed on to the buffer of level 3, b 3 , via the "Temp" register. Next, as 
illustrated in box 8, input blocks m 9 and m 10 arejcompressed, the result of the compression 

35 being store in the "Temp" register and passed on to the bx buffer variable. As the hash 

function h performs 2:1 compression, and as noltwelfth block is available for compression 
with m lu block m n is simply passed on to the second level of the tree structure by being 
temporarily stored in the "Temp" register, in accordance with the first aspect of the 
invention. In box 10, the contents of bj and the contents of the "Temp" register (i.e. m^) are 

40 compressed, and the result is temporarily stored in the "Temp" register. In respect of the 
compression to be performed in level 3, no fourth block is available which could be 
compressed together with the current contents of the "Temp" register, and thus, as 
illustrated by box 11, the contents of the "Temp^ register are passed on to level 4. Finally, in 
level 4, the contents of the buffer of level 3, b 3 , and the "Temp" register are compressed to 

45 produce an output, denoted in box 12 as a buffer variable of level 4, b 4 . 



< 
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From the above discussion of Fig. 3, it will be appreciated that the result of each hash 
function is temporarily stored in the "Temjp" register and, if the buffer variable bi of the level 
concerned (i.e. level i) is available, passed directly on to this buffer variable. If the buffer 
5 variable b, is not available, then the contejnts of the "Temp" register are immediately 
compressed in the next level i+1 together with the contents of the buffer variable bi by 
means of a hash function. This procedure is carried out in respect of each application of hash 
function h (i.e. horizontally in Fig. 3) and jin respect of each level of the tree structure (i.e. 
vertically in Fig. 3) in the order described above, i.e. in the order revealed by the numbering 
10 of the dashed boxes of Fig. 3. 

i 

The memory requirements for performing! the procedure of Fig. 3 are minimized, as only one 
buffer variable b, per level and one single [temporary 1 variable are required in order to perform 
the tree-structure compression of the message. 

15 ! 

In accordance with the third aspect of the invention the hash function h x of Fig. 3 may 
comprise a delta-universal hash function fi dl which is applied to one data block at a time only, 
and to which a second data block is added following the processing by the hash function as 
generally described below in connection with Fig. 10. 



In Figs. 2 and 3, different cryptographic kjeys k may be applied in each application of the 
hash function h. In other words, each timk the hash function h is applied, a new 
cryptographic key may be used. Accordingly, in for example level 1 of Figs. 2 and 3, the keys 
denoted kj may not be the same, wherebV kj varies horizontally in the tree structure. In 
presently preferred embodiments, one single cryptographic key is, however, used in all 

single level of the tree structure. In such preferred 
applied in different levels of the tree structure, so 



applications of the hash function h in one 
embodiments, different keys k 1# k 2 ,... are 



that one single key is used in all applications of the hash function h within a single level. 

30 The cryptographic keys k lf k 2/ ... may be generated by any appropriate key generation 

method, such as in a stream- or block-cipjher system. In one embodiment, the keys may be 



generated as outputs of a pseudo-randorr 
input. In principle, any sufficiently secure 
e.g. the one disclosed in WO 03/104969, 



number generator which receives a seed key as 
pseudo-random number generator may be applied, 
which is hereby incorporated by reference. 



It will be understood that any message of any given length may be processed according to 
the principle described above in connection with Figs. 2 and 3. In Figs. 2 and 3, the number 
of bits in the message to be processed is a multiple of the length of each block. However, this 
is not always the case, and in order to process all message lengths, including those which are 

40 not a multiple of the block length, the present method may comprise the step of appending a 
set of predefined data to the message, so! that the length of the message with the appended 
set of data becomes a multiple of the length of the blocks, as illustrated in Fig. 4. The 
incoming message M is divided into a plurality of blocks, each having a predetermined block 
length, and a remainder data block of a size smaller than block length. In the example shown 

45 in Fig. 4, a series of zeros are appended tp the remainder data block, whereby the remainder 
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data block with appended zeros defines a block of the desired predetermined block length, so 
that the message eventually is split into five blocks mi..m 5 . The message may now be 
processed, e.g. as described above in connection with Figs. 2 or 3. If, in the example of Fig. 
3, it is determined that there are not sufficient b\ts available in the incoming message to 
5 define a full block % the step of appending data to the message would preferably occur at 
the time of storing m^ (i.e. the remainder data block of the incoming message with 
appended data) in the "Temp" register, cf. dashed box 9 in Fig. 3. 

. i 

The output of the tree-structure processing illustrated in Figs. 2 and 3, I.e. for example m 4 ,i 
10 of Fig. 2 and b 4 of Fig. 3, is further processed before the identification value is generated. In 
order to take the length of the message into account and thereby to ensure that two different 
messages of different lengths result in different identification values, a concatenated output 
may be generated by appending data which represent the length of the incoming message, 
as illustrated in Fig. 5. The data representing L may for example represent the total number 
15 of bits, bytes or data blocks of the incoming message. This concatenated output may 
subsequently be compressed by application of a second hash function h 2 which may 
optionally make use of a cryptographic key k^, to produce a compressed concatenated 
output. The data representing the length of the rjnessage should uniquely identify the length. 

i 

Accordingly, in a setup, in which all message lenjgths are determined as a number of bytes, 
20 then also the length of the incoming message which is appended to obtain the concatenated 
output may be determined as a number of bytesj. Otherwise, the data representing the length 
will typically represent the number of bits of the jmessage. The length L of the message may 
be known to the system in which the method is applied before processing in the tree 
structure is initiated, or it may be determined along with such processing. For example, as 
25 the incoming message is split into blocks m M ..nj, f5/ cf. Fig. 2, or nv.mn, cf. Fig. 3 (in which 
the message is split into blocks successively as the blocks are being processed in the tree- 
structure), the number of bits in the message m^y be simultaneously counted to obtain a 
measure of the length of the message. i 

30 The second hash function h 2 may be the same function as the first hash function applied in 
the tree structure, or it may be a different hash function. It may be advantageous with 
. respect to security (i.e. to minimize the probability that the same identification value may be 
generated in respect of two different messages) b> apply a strongly-universal hash function 
as h 2 . The term strongly-universal is to be understood as a member of a "strongly-universal" 

35 or "e-almost-strongly-universal" hash function family by the definition of Stinson: Universal 
Hashing and Authentication Codes, "Advances in Cryptology - CRYPTO % 91", Lecture Notes in 

Computer Science 576, pp. 74-85 (1992). \ 

■ 

In Fig. 5, a cryptographic function is applied to the compressed concatenated output. More 
40 specifically, a cryptographic key k MAC is bitwise XOR'ed with the compressed output to obtain 
a MAC value as the final identification value identifying the message. As an alternative to the 
XOR operator, any symmetric or asymmetric encryption method can be applied, such as AES 
or RSA. The cryptographic key k MA c may be generated by any appropriate key generation 
method. It may thus, for example, define a symmetric or asymmetric key generated by a 
45 stream- or block-cipher system. A sender and a recipient of the message should posses 



« 



30 
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identical keys k MA c in order for them to belable to generate identical identification values in 
respect of the same message. In one embodiment, the key may be generated as an output of 
a pseudo-random number generator whicft receives a seed key as input. In principle, any 
sufficiently secure pseudo-random number generator may be applied, e.g. the one disclosed 
5 in WO 03/104969. 

It will be understood that embodiments of the method of the invention are envisaged, in 
which no cryptographic key k MA c is applied to obtain a MAC value. In such embodiments, the 
identification value may for example be derived as the compressed concatenated output, or 
10 simply as the output of the tree-structure (compression (m 4 ,i in the example of Fig. 2 or b 4 in 
the example of Fig. 3). In such cases, the identification value would be referred to as a hash 
value, and the overall method would also be referred to as a hash function, despite the fact 
that also the individual functions h are also referred to as hash functions. 

i 

15 An example of a typical application of a hash function (i.e. identification value generation not 
involving encryption by XOR'ing with a cryptographic key k„ A c) is the identification of a 
password used for user log-on to e.g. a server. Instead of transmitting the user's password 
via a network, the hash value, i.e. identification value derived from the password, may be 
transmitted. A MAC function is typically applied for identifying a message, e.g. an e-mail 

20 message, sent from a sender to a recipierit, both of which posses an appropriate 
cryptographic key. 

Fig. 6 shows one specific way of performing the procedure of Fig. 5. In Fig. 6, the 
concatenated output is divided into separate data blocks of a given length. If the length of 
25 the concatenated output is not a multiple jof the given length, a set of predetermined data, 
e.g. a series of zeros, is appended or otherwise inserted at a predetermined position, to 
define an integer number of blocks, e.g. d -c 5 in the example of Fig. 6. The blocks Cj.-Cs are 



compressed by means of the second hash 
cryptographic key k h2 . 



function h 2 which optionally makes use of a 



To improve the quality of the identification value generated by the method according to the 



invention, i.e. to reduce the probability of 



the method generating identical values in respect 



of different messages, a further hash function (not shown in the figures) may be applied to 
the output, a further set of data derived from the output, the concatenated output, and/or 
35 the compressed concatenated output. The further hash function is particularly relevant in 
case the second hash function h 2 is identical to the first hash function hi. The first hash 
function hj may be a function different frcim the second hash 'function h 2 . 

While, in the examples of Figs. 2 and 3, h^ is shown as one specific function which is applied 
40 a plurality of times in the tree-structure compression, different functions may be applied. For 
example, two different of the h t hash functions may compress different numbers of blocks. 
The hi function or functions may compresjs a variable number of blocks. In one embodiment, 
2:1 compression is performed in one or more levels of the tree structure, and in other levels 



3:1 compression is performed. 



i 
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Alternatively, in accordance with the second aspect of the invention, various compression 
rates may be applied in one single level of the tree structure. This is illustrated in Fig. 7, in 
which 2:1 compression is performed by a first hash function \\ x on mi,i..m 1 ,«, and 3:1 
compression is performed by an auxiliary hash function h aux on mi >5 ..m, (7 in the first level. In 
5 the second level, only 3:1 compression is performed. The first hash function h x uses a first 
cryptographic key k 1# and in level 1, the auxiliary hash function uses a first auxiliary 
cryptographic key k auja , and in level 2, the auxiliary hash function uses a second auxiliary key 

kaux2» 

i 

10 It should be understood that the above description of Figs. 3-6 and the features discussed in 
relation thereto apply equally to the second aspect of the invention. 



Figs. 8-10 illustrate the method of the third aspect of the invention. The method is generally 
illustrated in Fig. 8, wherein data block mj #1 derived from a message is processed by a delta- 

15 universal hash function h d i (i.e. delta-universal 4/ith respect to the type of addition applied), 
which applies a first cryptographic key kdi. Data| block m 1#2 is then added to the number 
resulting from the delta-universal hash function jto obtain a modified resulting number m 2 ,i 
which can be used to obtain an identification val'ue for identifying the message. For example, 
the modified resulting number m 2 ,i may be applied as illustrated in Figs. 5 or 6 by using the 

20 modified resulting number as "Output", to whicH a representation of the length L of the 

message is appended to obtain the concatenated output, which in turn is used to obtain the 
compressed concatenated output, from which the MAC value is derived, as described in 
connection with Figs. 5 and 6. I 



25 Fig. 9 illustrates a similar embodiment of the method according to the third aspect of the 

invention, in which the incoming message is divided into four blocks m lfl ..m M/ three of which 
are compressed by application of an alternative jdelta-universal hash function h d2 , which 
applies one or more cryptographic keys k^. The| fourth block is added to the number resulting 
from the hash function h d2 to obtain a modified Resulting number m 2#1 which may be 

30 processed to obtain an identification value as described above in connection with Fig. 8 and 

Figs. 5 and 6. I 

j 

■ i 

Fig. 10 illustrates yet another embodiment of thjs method of the third aspect of the invention. 
In this embodiment, the method is applied in a free structure of the type described above in 

35 connection with Figs. 2 and 3, in which the message is compressed in a plurality of tree- 
structure levels. In a first level of the tree structure, incoming data block m 1#1 is processed by 
a first delta-universal hash function h dl , and incoming data block m l>2 is added to the 
resulting number of h dl to obtain m 2 ,i, which, in la second level of the tree structure, is 
processed by hash function h dl . Incoming blocks; m 1/3 and m M are processed likewise in the 

40 first level to obtain m 2 , 2/ and in the second level! m 2/2 is added to the number resulting from 
hash function h dl applied to m 2 ,j, and m 3#1 is obtained. Incoming data block m i(5 is passed 
from the first to the third level without processing thereof, as depicted in Fig. 10, in which 
the data block is referred to as m 2 , 3 in the second level and as m 3 , 2 in the third level for the 
sake of clarity. In the third level in the tree structure, the hash function h di is applied to m 34 , 

45 and m 3 , 2 (i.e. m lf5 ) is added to the resulting number to obtain m AtU from which the 
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identification value can be derived as described above in connection with Fig. 8 and Figs. 5 
and 6. 

It will be understood that the delta-univeijsal hash function defined in connection with the 
5 third aspect of the invention, embodiments of which are described with reference to Figs. 8- 
10, may be applied in the first and second aspect of the invention. For example, the so-called 
first hash function rh of the method according to the first and second aspect of the invention 
may comprise the delta-universal hash function h dx and the subsequent step of adding a data 
block to the number resulting from the delta-universal hash function h dl . In other words, in 
10 one embodiment, the method of Fig. 2 is identical to the method of Fig. 10. Likewise, in 
dashed box No. 1 of Fig. 1, hash function hi may comprise the application of a delta- 
universal hash function h dl to incoming data block m t and subsequent addition of incoming 
data block m 2 to the number resulting from the delti-universal hash function to obtain the 
result of the compression to be store in the temporary register "Temp". 

15 
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CLAIMS 



10 



15 



20 



25 



30 



1. A method for generating an identification value for identifying an electronic message by 
application of at least one first hash function with fixed compression that compresses n 
blocks of data into a number of blocks which is smaller than n or into one single block, the 
hash function being repetitively applied in a tree-structure compression of the message, so 
that the message is being compressed in a plurality of tree-structure levels, each level 
receiving m, input blocks for compression, subscript i denoting a current level in the tree 
structure, the method comprising processing anj output of the tree-structure compression 
further to obtain said identification value, ! 
characterized in that j 

a residual data block is passed without compression from the current level to another, 

i 

subsequent level in case n does not divide the number of input blocks mi for said current 
level i. 



2. A method according to claim 1, further comprising the step of inserting a set of predefined 
data at a predetermined position in the message, e.g. by appending the set of predefined 
data to the message, so that the length of the nriiessage with the appended set of data 
becomes a multiple of the length of the blocks. 

3. A method according to claim 1 or 2, wherein the tree-structure compression is performed 
until the number of blocks is less than n. 

4. A method according to claim 3, further comprising the step of concatenating the output 
with data which represent a length L of the message to obtain a concatenated output, the 
length L representing the length of the message! without said appended set of data. 

5. A method according to claim 4, wherein a hash function is applied to the concatenated 
output to obtain a compressed concatenated output, said hash function being one of: 

- the at least one first hash function; and 

- a second hash function. 



6. A method according to any of the preceding claims, further comprising applying a further 
hash function to at least one of: 
35 - said output, 

- a further set of data derived from said output, ; 

- said concatenated output, and 

- said compressed concatenated output. 

40 7. A method according to any of the preceding dlaims, further comprising applying a 

cryptographic function to said output or to a further set of data derived from said output. 



8. A method according to claim 6 or 7, wherein at least one of: 
- said at least one first hash function; 
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- said second hash function; and 

- said further hash function 
makes use of at least one cryptographic key. 



9. A method according to claim 8, wherein different cryptographic keys for the at least one 
first hash function are used in different levels of the tree structure. 

i 

10. A method according to claim 8 or 9, wherein different cryptographic keys are used in one 
level of the tree structure. 



11. A method according to claim 8 or 9, wherein the same cryptographic key is used in a 
single level of the tree structure. 



12. A method according to any of the preceding claims, wherein at least one of: 
15 - said first hash function; 

- said second hash function; and 

- said further hash function 
is a universal hash function. 

20 13. A method according to any of the preceding claims, wherein at least one of: 

- said at least one first hash function; 

- said second hash function; and 1 

- said further hash function \ 
comprises at least two different hash functions. 



14. A method according to claim 13, wherjein the at least two different hash functions 
compress different numbers n of blocks. | 



15. A method according to claim 13 or 14^ wherein at least one of the at least two different 
30 hash functions compresses a variable number n of blocks. 

16. A method according to any of claims l|3-15, wherein the different hash functions use 
different cryptographic keys. 

35 17. A method according to any of claims 8-16, comprising performing a plurality of tree- 
structure compressions of the message to; obtain a plurality of results, and concatenating the 
plurality of results into a concatenated result. 

I 

18. A method according to claim 17, wherjein different cryptographic keys are applied in the 
40 plurality of tree-structure compressions. I 

19. A method according to claim 17, wherjein partly identical cryptographic keys are applied 

in the plurality of tree-structure compressions. 

i 
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20. A computer system comprising a memory arid a processor, the processor being 
programmed to carry out the method of any of claims 1-19. 

21. A computer program product comprising means for performing the method of any of 
claims 1-19. 
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15 



20 



25 



30 



22. A method for generating an identification value for identifying an electronic message by 
application of at least one first hash function with fixed compression that compresses n 
blocks of data into a number of blocks which is smaller than n or into one single block, the 
hash function being repetitively applied in a tree-structure compression of the message, so 
that the message is being compressed in a plurality of tree-structure levels, each level 
receiving m, input blocks for compression, subscript t denoting a current level in the tree 
structure, the method comprising processing an output of the tree-structure compression 
further to obtain said identification value, 

charac terized in that 

the method comprises determining whether or not n divides the number of input blocks mi for 
said current level i; and 

if n does divide m,: applying said at least one first hash function mjn times; 

if n does not divide m f : 

applying said at least one first hash function at most mjn times, whereby at least one 
residual data block is left unprocessed by the first hash function; and 
processing said at least one unprocessed data block by means of an auxiliary hash 
function which, in one single hash operation, compresses the at least one 
unprocessed data block into one single block. 

23. A method according to claim 22, further comprising the step of inserting a set of 
predefined data at a predetermined position in the message, e.g. by appending the set of 
predefined data to the message, so that the length of the message with the appended set of 
data becomes a multiple of the length of the blocks. 

j 

24. A method according to claim 22 or 23, wherein the tree-structure compression is 
performed until the number of blocks is less than n. 



25. A method according to claim 24, further comprising the step of concatenating the output 
35 with data which represent a length L of the message to obtain a concatenated output, the 

length L representing the length of the message without said appended set of data. 

! 

26. A method according to claim 25, wherein a tjash function is applied to the concatenated 
output to obtain a compressed concatenated output, said hash function being one of: 

40 - the at least one first hash function; and 
- a second hash function. 

I 

27. A method according to any of claims 22-26, further comprising applying a further hash 
function to at least one of: 

45 - said output, 
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- a further set of data derived from said output, 

- said concatenated output, and \ 

- said compressed concatenated output. 

» 

5 28. A method according to any of claims 22-27, further comprising applying a cryptographic 

function to said output or to a further set of data derived from said output. 

■ 

29. A method according to any of claims 22-28, wherein at least one of: 

- said at least one first hash function; 
10 - said second hash function; and 

- said further hash function | 
makes use of at least one cryptographic kpy. 

30. A method according to claim 29, wherjein different cryptographic keys for the at least one 
15 first hash function are used in different levels of the tree structure. 

31. A method according to claim 29 or 30t wherein different cryptographic keys are used in 
one level of the tree structure. 1 

! 

20 32. A method according to claim 29 or 30, wherein the same cryptographic key is used in a 
single level of the tree structure. 



40 



33. A method according to any of claims 22-32, wherein at least one of: 

- said first hash function; 
25 - said second hash function; and | 

* 

- said further hash function 
is a universal hash function. 

i 

34. A method according to any of claims 22-33, wherein at least one of: 
30 - said at least one first hash function; 

- said second hash function; and 

- said further hash function S 
comprises at least two different hash functions. 

I 

35 35. A method according to claim 34, wherein the at least two different hash functions 
compress different numbers n of blocks, j 

36. A method according to claim 34 or 35L wherein at least one of the at least two different 
hash functions compresses a variable number n of blocks. 



37. A method according to any of claims 34-36, wherein the different hash functions use 
different cryptographic keys. 



i 
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48. A computer system comprising a memory and a processor, the processor being 
programmed to carry out the method of ajny of claims 43-47. 

■ 

49. A computer program product comprising means for performing the method of any of 
claims 43-47. 
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